Companies monitoring traffic... just what is monitored?

I hope this is the right forum for this... a friend of mine is working at a company that (claims to) monitor all traffic. Which is not generally a problem, because he's not going to be fired for posting to facebook.

However, I wonder what the extent of monitoring capabilities available is. Are we talking about "person X connected to facebook at 3:15pm," or "person X used Google Voice to send a text message saying Y."

The latter would be more of an issue. Would it make a difference here if https is used?

Quote:

The latter would be more of an issue. Would it make a difference here if https is used?

If the company owns the network and the endpoints, they can see essentially anything you do, regardless of HTTPS, via MitM and heavily enforced proxying.

We "monitor all traffic" but that essentially means we inspect for known bad destinations, malware content, C&C connections, etc. We don't really care if you go to facebook...but we block certain facebook apps. Streaming music is fine...but torrenting is not. Mainly, we're concerned about DLP and operational costs resulting from C&C/other malware.

If your friend wants privacy, he should use a smartphone on 3G/4G, or wait until he gets home.

Quote:

The latter would be more of an issue. Would it make a difference here if https is used?

A company can monitor anything they pay for. A company pays for anything that has value. So it will only matter if they believe it is worth spending money on stopping your friend's activity.

Quote:

From what I recall, a third of all data transferred at my work place (academia) at any given time is porn. I don't want to know... I'm just hoping that includes (is limited to?) the dorms.

Probably pretty close to it. If academics weren't shuffling around such large files, porn would be a higher percentage. If your stats were looking at connections, rather than bandwidth, I'm sure porn would grab a LOT higher percentage.

Quote:

If the company owns the network and the endpoints, they can see essentially anything you do, regardless of HTTPS, via MitM and heavily enforced proxying.

I'll add to this, basically if the company is able to install a CA certificate onto your machine (say, they install it when they do the build for you, or install it on the OS that comes with it and hand it to you), then they can do man in the middle attacks and see all of your unencrypted Facebook/Gmail/etc. However, if it is your personal phone/tablet that they have not installed the CA certificate on, then they can't snoop like that without you knowing about it (you'll see a warning that the HTTPS certificate doesn't match). Anything unencrypted they can always monitor, which includes DNS lookups. So don't go looking up pr0n websites even if all of the contents are encrypted.
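The DNS point in the post above is easy to check for yourself: the name being looked up sits in the clear in the question section of the query, so the corporate resolver, or any tap on the path, records it even though everything that follows is HTTPS. (The TLS handshake's Server Name Indication then repeats the same hostname unencrypted, so blocking DNS logging alone would not close the gap.) The Go program below is an added example, not code from the thread: it builds the query a stub resolver would send for a hypothetical hostname and parses the name back out of the raw bytes the way a monitoring point would. The hostname and query ID are invented for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// BuildQuery encodes a minimal DNS query (RFC 1035 section 4.1) for name,
// type A, class IN, exactly as a stub resolver puts it on the wire: a fixed
// 12-byte header followed by the name as length-prefixed labels. Nothing in
// it is encrypted.
func BuildQuery(id uint16, name string) []byte {
	msg := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: RD=1, QR=0 (query)
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)          // root label terminates the name
	msg = append(msg, 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
	return msg
}

// QName recovers the looked-up name from a captured query, which is all a
// monitoring point needs to log "who asked for what". It accepts plain
// length-prefixed labels only; compression pointers (top two bits set) do
// not occur in the question of a query and are rejected as malformed.
func QName(msg []byte) (string, error) {
	if len(msg) < 12 {
		return "", errors.New("short header")
	}
	if msg[2]&0x80 != 0 { // QR bit set: this is a response, not a query
		return "", errors.New("not a query")
	}
	var labels []string
	i := 12
	for {
		if i >= len(msg) {
			return "", errors.New("truncated name")
		}
		n := int(msg[i])
		i++
		if n == 0 {
			break
		}
		if n&0xC0 != 0 || i+n > len(msg) {
			return "", errors.New("bad label")
		}
		labels = append(labels, string(msg[i:i+n]))
		i += n
	}
	return strings.Join(labels, "."), nil
}

func main() {
	q := BuildQuery(0x1234, "www.example.test") // constructed sample query
	name, err := QName(q)
	fmt.Printf("wire: %x\nname: %s err: %v\n", q, name, err)
}
```

Run it and the hex dump shows the hostname as readable ASCII in the middle of the packet; a resolver that logs queries keeps exactly that string next to the client address and timestamp, which is the "person X connected to facebook at 3:15pm" level of detail the original question asks about.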

They have the legal authority to see everything since they own the network, and probably the PC you are using to access it. However even those places that spend the money for the equipment and software to monitor everything often don't hire anyone to carefully watch it. It might be a task of some network or security admin but unless you end up on some automated list of people who try to get porn at work or you end up on some top ten list of most time spent surfing the internet or most data consumed it is unlikely they will notice you in most work places.

I would not worry too much about it. In most jobs in the US, your employer doesn't need cause to fire you anyway.
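Added example, not code from the thread: the sort of automated list the post above describes, in Go, run over a constructed proxy log. The log layout and the user, host and category names are invented for the example; the mechanics are the point: per-user byte totals feed a "most data consumed" top-N, and a category counter only flags someone after repeated hits in the flagged category rather than on one stray request. Malformed lines are counted rather than silently skipped, so a parser that stops matching the vendor's format shows up as a gap instead of an empty report.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Entry is one parsed proxy log record. The layout is a constructed example,
// not any vendor's format: "<epoch> <user> <host> <bytes> <category>".
type Entry struct {
	Time     int64
	User     string
	Host     string
	Bytes    int64
	Category string
}

// ParseLine returns false for anything that does not fit the layout.
func ParseLine(line string) (Entry, bool) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Entry{}, false
	}
	t, err1 := strconv.ParseInt(f[0], 10, 64)
	b, err2 := strconv.ParseInt(f[3], 10, 64)
	if err1 != nil || err2 != nil || b < 0 {
		return Entry{}, false
	}
	return Entry{Time: t, User: f[1], Host: f[2], Bytes: b, Category: f[4]}, true
}

// Report is what gets forwarded for review: the heaviest consumers and the
// users who tripped the flagged category more than threshold times.
type Report struct {
	TopByBytes []string
	Flagged    []string
	Dropped    int // lines the parser rejected
}

func Summarize(logText string, topN int, flagCategory string, threshold int) Report {
	bytesBy := map[string]int64{}
	hitsBy := map[string]int{}
	var rep Report
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		e, ok := ParseLine(line)
		if !ok {
			rep.Dropped++
			continue
		}
		bytesBy[e.User] += e.Bytes
		if e.Category == flagCategory {
			hitsBy[e.User]++
		}
	}
	users := make([]string, 0, len(bytesBy))
	for u := range bytesBy {
		users = append(users, u)
	}
	// Highest byte count first; ties broken by name so the output is stable.
	sort.Slice(users, func(i, j int) bool {
		if bytesBy[users[i]] != bytesBy[users[j]] {
			return bytesBy[users[i]] > bytesBy[users[j]]
		}
		return users[i] < users[j]
	})
	if len(users) > topN {
		users = users[:topN]
	}
	rep.TopByBytes = users
	for u, n := range hitsBy {
		if n > threshold {
			rep.Flagged = append(rep.Flagged, u)
		}
	}
	sort.Strings(rep.Flagged)
	return rep
}

// Constructed sample log; one deliberately malformed line is included.
const sampleLog = `
1700000000 alice files.example.test 52428800 business
1700000060 bob video.example.test 104857600 streaming
1700000120 carol news.example.test 20480 news
1700000180 carol adult.example.test 4096 adult
1700000240 dave adult.example.test 8192 adult
1700000300 dave adult.example.test 8192 adult
1700000360 dave adult.example.test 8192 adult
garbage line
1700000420 erin torrent.example.test 209715200 p2p
`

func main() {
	fmt.Printf("%+v\n", Summarize(sampleLog, 2, "adult", 2))
}
```

With the sample above, the top two by volume are erin and bob, carol's single hit stays below the threshold, and dave's three hits put him on the list; that threshold is the whole difference between "accidentally clicked a bad link" and the pattern the later posts describe being forwarded to a manager.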

I go drinking with the IT guys at my company occasionally and we've talked about this. They are able to monitor EVERYTHING. However, they don't have the time or the inclination to look at the vast amounts of emails/IM/browsing history/etc unless they've been specifically instructed to do so, which generally only happens if a person is under investigation for other reasons like not doing their jobs or using a huge amount of bandwidth.

So basically as long as your friend isn't doing anything stupid and is continuing to get his work done it's not worth worrying about.

Quote:

I go drinking with the IT guys at my company occasionally and we've talked about this. They are able to monitor EVERYTHING. However, they don't have the time or the inclination to look at the vast amounts of emails/IM/browsing history/etc unless they've been specifically instructed to do so, which generally only happens if a person is under investigation for other reasons like not doing their jobs or using a huge amount of bandwidth.

Hands-on monitoring is seldom done. Having shit flagged and forwarded to someone/somegroup for review is fairly SOP, though.

To GByteKnight's point, however, this stuff is usually just tossed into a folder somewhere: to be pulled out when someone is looking for just that extra little excuse to shitcan you.

The shit I've seen due to email and filtering automation... I cannot unsee. And some of it has gone on to be used to fire people - not for cause (because I've only worked in "at will" States) - but maybe someone was looking to change up personnel anyway, or fire someone anyway, or replace someone anyway, and one or more pieces of shit coming across what's supposed to be company / professional e-mail was all it took to set them into action.

Alternatively, it can change people's view of you. Maybe you're a great upstanding person who is constantly being caught by filtering systems looking at porn while you're on the shitter. Several flags later and now your boss thinks you're either (1) awesome and just like him/her or (2) a sick fuck. Who knows?

Quote:

If the company owns the network and the endpoints, they can see essentially anything you do, regardless of HTTPS, via MitM and heavily enforced proxying.

This isn't as true as it used to be. For example, if you're using Chrome or Chromium (and assuming no underlying bugs), it is not possible to use a non-Google SSL certificate for Google (and select other) sites automatically. Users can even restrict any website to 1) absolutely require SSL, and 2) specify which CAs are allowed to verify that certificate.

Remember the *.google.com certificate issued by Diginotar?

For properly configured Chrome and Chromium, it is not possible to conduct a MitM attack on SSL protected website that have properly "pinned" certificates.

The way that Google allows user-based installs also helps limit what settings IT can enforce, but it's certainly not perfect. It's possible to restrict these types of installs, and management utilities could still muck with user settings, although I think that is beyond the capability of most IT grunts.

You're always better safe than sorry, but from a technical perspective there are some effective protections.

There are still ways to leak data about what you're doing. The first two things that spring to mind are DNS queries and on-disk cache.

Edit: More details about HSTS, which I incorrectly called certificate pinning.

Quote:

For properly configured Chrome and Chromium, it is not possible to conduct a MitM attack on SSL protected website that have properly "pinned" certificates.

As Frennzy said, if you're on a work computer and they can configure it, you're screwed. They'll just change the settings for pinned certs, or unpin them. Even failing that, you could easily call your CA VerisignClass3 and call it a day. It's not like you let your users talk to the real VerisignClass3 CA or any CRLs.
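Added example, not code from the thread: the certificate mechanics behind the last few posts, in Go, standard library only, no network. It mints a stand-in public root and a stand-in corporate interception CA, issues a certificate for the hypothetical host mail.example.test from each, and checks the intercepted one four ways: against a trust store with the corporate CA installed (the company build), against public roots only (the personal phone, which gets the warning), against a pin set holding the site's real keys (the pinned-Chrome case), and against a pin set the admin has overwritten with the corporate key (the "they'll just unpin it" case). The CA names and hostname are invented for the example. Note that a pin is a hash of the public key, so the "call your CA VerisignClass3" trick changes nothing for a client that actually enforces pins. One caveat when reading the Chrome claim: Chrome deliberately does not apply its built-in pins to chains that end in a locally installed root, so on a managed machine the unpinned outcome is the default rather than something IT has to arrange.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostname for the example; not a site named in the thread.
const host = "mail.example.test"

// sign builds tmpl signed by parent (tmpl itself for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA mints a self-signed root. The public CA behind the real site
// certificate and the corporate interception CA are built the same way.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf signs a server certificate for host under the given CA. An
// intercepting proxy does exactly this, on the fly, for every HTTPS host.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// chainOK is the ordinary browser check: does the leaf chain to some root in
// this device's trust store? The roots passed in stand for that store.
func chainOK(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// spkiPin is the HPKP/Chrome-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
// It identifies a key, not a CA's display name.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinOK passes only if some certificate in the presented chain carries a pinned key.
func pinOK(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// Outcome holds the four cases argued over in the thread.
type Outcome struct {
	ManagedChain  bool // proxy leaf, corporate CA installed: accepted, no warning
	PersonalChain bool // proxy leaf, only public roots trusted: rejected, warning shown
	PinnedManaged bool // corporate CA installed, but the site's real key is pinned: rejected
	Repinned      bool // admin replaced the pin set with the corporate key: accepted
}

func Scenario() Outcome {
	publicCA, publicKey := newCA("Public Root CA")
	corpCA, corpKey := newCA("Corp Interception CA")
	realLeaf := issueLeaf(publicCA, publicKey)
	mitmLeaf := issueLeaf(corpCA, corpKey)
	mitmChain := []*x509.Certificate{mitmLeaf, corpCA}
	// Pins the site or the browser preload list ships: the real CA and leaf keys.
	pins := map[string]bool{spkiPin(publicCA): true, spkiPin(realLeaf): true}
	return Outcome{
		ManagedChain:  chainOK(mitmLeaf, publicCA, corpCA),
		PersonalChain: chainOK(mitmLeaf, publicCA),
		PinnedManaged: pinOK(mitmChain, pins),
		Repinned:      pinOK(mitmChain, map[string]bool{spkiPin(corpCA): true}),
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

The only input the user controls in all four cases is which roots and which pins the client holds, which is the whole argument of the thread: on a device the company configures, both are theirs to set.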

Quote:

Hands-on monitoring is seldom done. Having shit flagged and forwarded to someone/somegroup for review is fairly SOP, though.

Depends on the company. We have an Asset Protection group, which is meant to protect assets from the outside AND inside. If a manager wants to spy on their employees, they have to file a request with AP to have *them* do the monitoring. If they try to fire their report with email or IM logs they ferreted out without APs involvement, well, someone's still getting fired... But other companies have no such policies and allow anyone to snoop, or they actually do manual investigations if they have that few people. I've known at least one BOFH to report people for visiting porn sites with no request to do such investigations - but only after letting them do it for a while, so he could suss out their user/pass information first.

Don't browse anything you wouldn't want shown at the company all hands meetings.

I actually wanted to do this : post the SurfControl logs (small company, ~75 people) publicly, after a period of education and warning. Keep everyone honest, right? Instead of having everyone think that IT (me) was the dirty panty-sniffer that watched over everyone's shoulder.

HR shot it down with an interesting reason : HIPAA. If someone has a condition they're researching, or visiting the site of a mental health or abuse counselor, etc, then it might be a HIPAA problem.

And honestly, it might have caused more problems, because now you risk having 40-60 people complaining about how much time other people spend on the web. But I still think it would have been a cool experiment.

Quote:

The way that Google allows user-based installs also helps limit what settings IT can enforce, but it's certainly not perfect. It's possible to restrict these types of installs, and management utilities could still muck with user settings, although I think that is beyond the capability of most IT grunts.

I'm not sure what IT grunts you work with, but we can and do enforce any multitudes of settings. Quite simply, if you are on one of our company issued machines, connected to our network...we *can* see whatever you do. Chromium or not (which we could remove by policy enforcement if we so chose...we do not), you aren't getting to anything without going through my DNS and the corporate proxy service. CAs are issued by us, and we can redirect any other CA/hostlookup you wish to try and use.

Bottom line is, even IF you do all those things you mention, you still can't be sure. Why risk it?

Quote:

And honestly, it might have caused more problems, because now you risk having 40-60 people complaining about how much time other people spend on the web. But I still think it would have been a cool experiment.

You do NOT want to do this. Period. Full stop. One of our top searches for a while was "black man on the down low". Gee, I bet publicizing that would have gone over well, right? Any responses you get to the urls or terms from your employees are going to be FAR worse than a mere HIPAA violation.

Quote:

They are able to monitor EVERYTHING. However, they don't have the time or the inclination to look at the vast amounts of emails/IM/browsing history/etc unless they've been specifically instructed to do so

This.

I work for a fairly large enterprise (~100K employees on five continents) and am in the IT organization. Policy is to monitor everything within the bounds of the law. In Europe, there are laws regarding what employers can monitor and what they cannot, in addition to other restrictions imposed by contractual obligations (not necessarily blue-collar union). In the US all non-SSL traffic is tracked. Picking up things that would be SSLized (bank statements, credit cards, medical records etc) can get the company far enough into a legal gray area to make it lawsuit territory.

None of this matters anyway since the volume of logs is immense. There is no budget to store them beyond a couple weeks or so, nor to analyze them in a meaningful way. You might get popped if you've already given HR a reason to investigate, or if you're hitting the porn really, really hard during work hours. Other than that - no.

Quote:

I'm not sure what IT grunts you work with, but we can and do enforce any multitudes of settings. Quite simply, if you are on one of our company issued machines, connected to our network...we *can* see whatever you do.

Wanna bet?

(If you're giving your users physical access to the machines, they can circumvent anything you try to do. Most won't know how. Few of the ones that do will even try. But there's very little actually stopping them if they did want to.)

Quote:

(If you're giving your users physical access to the machines, they can circumvent anything you try to do. Most won't know how. Few of the ones that do will even try. But there's very little actually stopping them if they did want to.)

Except the long, long arm of company enforced domain policies that only ever let you execute approved executables. Although even there...there's a few things you could do to hijack and view unapproved content. iFrame is your friend!

Quote:

I'm not sure what IT grunts you work with, but we can and do enforce any multitudes of settings. Quite simply, if you are on one of our company issued machines, connected to our network...we *can* see whatever you do.

Chrome and Firefox are mostly banned here because they can't inject these MITM certificates. (I'm sure you guys could do it, but not our folks) They actually scan machines and send out emails CC'ing management that you must uninstall them.

Luckily I'm allowed to run Firefox and they only do the MITM with Ironport on some domains such as google.com. Others like my bank seem to work, but I assume it is also compromised and I just haven't noticed.

Quote:

Except the long, long arm of company enforced domain policies that only ever let you execute approved executables. Although even there...there's a few things you could do to hijack and view unapproved content. iFrame is your friend!

Is it REALLY worth it, though? That's a battle that the company will always win, because the companies that don't want users doing those kinds of things simply make that against the rules. You don't fight that fight with technology--you fight it with policy.

Some employers don't care and some do; I've worked at both types. At the ones that DO care, rather than try to outsmart the user, they'd simply forbid it and make it punishable by warnings & eventual termination.

Quote:

Some employers don't care and some do; I've worked at both types. At the ones that DO care, rather than try to outsmart the user, they'd simply forbid it and make it punishable by warnings & eventual termination.

In addition to this, some companies (primarily call centers) run screen capture software to watch your entire session and randomly QA it. Eventually, smart people screw this stuff up and get caught.

Quote:

Is it REALLY worth it, though? That's a battle that the company will always win, because the companies that don't want users doing those kinds of things simply make that against the rules. You don't fight that fight with technology--you fight it with policy.

That doesn't make any sense. Employees will just violate the policy.

I have three experiences with dealing with overzealous IT departments that tried to block things. The IT department lost on every occasion.

Only company laptops are allowed to connect to the LAN, and the laptops have management software that limits what websites can be visited (and software installed). Well, a company laptop is identified by MAC address. I brought my own laptop and changed the MAC address. Problem solved.

Company did not allow any virtualization software under any circumstance. I was a developer and needed to run Linux VMs. My boss and I told IT to go fuck themselves. Problem solved.

Company only allowed IE and used a centralized web proxy that drastically limited what sites could be visited. (They probably did MITM on IE, but I don't know for sure.) IT was too incompetent to block local installs of Chrome, and I just ran a Squid proxy in a data center. Problem solved.

It's too difficult to block all attack vectors. Those three situations were all at different companies, and IT couldn't do anything about them. I didn't even have to try anything exotic to get around their restrictions. Unless IT treats the users as hostile attackers (and is highly competent), they don't even have a chance. And if they successfully do cordon off their users, then politics comes into play, and IT (in my experience) loses badly.

I've seen employees get written up for violating the policy, but never fired, because stuff like "I want to stream music" and "I need to make facebooks but you've blocked facebook" are never worth losing your job over.

IT isn't (or shouldn't be) a horrible productivity-defeating monster that makes capricious rules for no reason--IT should be enforcing company policy. The no tunneling rule, for example--that's not mean, that's risk mitigation. MITM'ing SSL certificates is the same idea. They shouldn't have those kinds of policies in place just to fuck you over, but rather in response to specific management edicts to prevent loss or mitigate risk.

If you need to run a Linux VM and IT says "fuck you no," there's probably lots of reasons why. Do they offer VMs as a service that you or your manager can use via a charge code or something similar? They'd want you using that instead of personal VMware because their service is based on servers in their data center and is properly monitored and backed up.

Plugging in your personal laptop to the corporate network at the big aerospace company at which I worked for ten years wouldn't have worked. It also would have lead to a walk-up visit by the security group within about ten minutes.

If you legitimately feel like IT isn't letting you do your job, it's best to start asking why, and then trying to change from within. Obviously I don't know anything specific about you or your situation, so everything I'm saying is general, but IT should (again, SHOULD) be enforcing policies with clear goals. Those goals, however, aren't always "to do what a user wants" or "to make a user's job easier." Those goals should be for the overall benefit of the business. For example, just pulling this out of the air, but "Install this software I want" isn't necessarily something IT should just do without approval. Is there a standard piece of software that does mostly the same thing? That software's been approved and purchased through an approved supplier and enterprise-licensed and its installation can be tracked and attached to an operating group's budget.

Painting IT policy enforcement as a war between users & IT is damaging for both sides. IT's policies should be flexible and based on management's objectives, and IT cannot afford to be capricious; users should realize that the rules aren't just there to piss them off and keep them from working.

Quote:

Chrome and Firefox are mostly banned here because they can't inject these MITM certificates.

You can do it with Chrome and FF, but it's easier to use GPO updates to restrict IE to using your proxy, or blocking other proxies. Chrome allows that, but it may not be baked into their GPO management system, and FF is not very GPO friendly at all.

Quote:

Painting IT policy enforcement as a war between users & IT is damaging for both sides. IT's policies should be flexible and based on management's objectives, and IT cannot afford to be capricious; users should realize that the rules aren't just there to piss them off and keep them from working.

At CPX I heard it described well from the technology side: URL filtering enforces HR policies, Application Control enforces IT policies. The sooner we move from one to the other, the better.

People still work for companies that don't allow them to bring their own laptops? I thought smartphones and tethering pretty much got every IT department to back off their network control policies related to workplace time/task enforcement...

Quote:

People still work for companies that don't allow them to bring their own laptops? I thought smartphones and tethering pretty much got every IT department to back off their network control policies related to workplace time/task enforcement...

How many industries have you worked in? Not too many defense-related ones, or old ones (or old companies), I'm guessing.

Quote:

Is it REALLY worth it, though? That's a battle that the company will always win, because the companies that don't want users doing those kinds of things simply make that against the rules. You don't fight that fight with technology--you fight it with policy.

Some employers don't care and some do; I've worked at both types. At the ones that DO care, rather than try to outsmart the user, they'd simply forbid it and make it punishable by warnings & eventual termination.

Of course it isn't. Nowhere did I suggest, or even imply, that anyone should be bypassing their corporate IT policies. Very few people have a free pass for issues they might "accidentally" discover with internal systems. And with smartphones becoming commonplace there's zero reason to bother. The point was simply that the technical barrier is vanishingly low, and that no one should be pretending otherwise.

Well, there are places where having a personal cellphone inside the office building is also a firing offense, and possibly cause for an investigation as well. Conveniently, they provide nice little day-use lockers outside each entrance to make it easy to comply.

Quote:

Painting IT policy enforcement as a war between users & IT is damaging for both sides. IT's policies should be flexible and based on management's objectives, and IT cannot afford to be capricious; users should realize that the rules aren't just there to piss them off and keep them from working.

I'm not saying that it's a constructive relationship, but "we didn't start the fire."

As a developer who works in a large, largely non-development-oriented company, IT tends to be a humongous pain. They have no clue what we do, and honestly, it's not even worth trying to get them to change the policies. Get enough political clout to do what we want and call it a day.

That certainly puts IT between a rock and a hard place, but they built both, and I don't have enough sympathy to do their job (writing policies that work for everyone), too.

Quote:

That certainly puts IT between a rock and a hard place, but they built both, and I don't have enough sympathy to do their job (writing policies that work for everyone), too.

I've found that a "one policy for all" usually fails when you try and apply it to Sales/Marketing types and also to Developers. We have an un-official "Don't Ask / Don't Tell" policy between Developers and IT and this works quite well.

That's really unfortunate, and speaks to significant failures on both sides of the table. If they don't understand what you do to such an extent that their policies literally make it impossible for you to do your job and you have to break them to get work done, then your group likely doesn't have any idea why those policies are in place.

I don't know anything about your situation other than what I'm reading here, obviously, and it very well could be that you've just got a power-mad IT group run in isolation from the business's needs by some kind of crazy asshole IT director. It does happen sometimes. But, again, IT shouldn't make policy. IT should be implementing policies based on direction from management to protect the business's interests and to enable the business to function safely and effectively. That doesn't mean "do anything the users want all the time," but it certainly does mean making sure that everyone has what they need to work.

Need doesn't always equal want, and my first job out of college was an IT startup company that was run by developers for developers, essentially, and they ran it directly into the ground because there were insufficient controls and policies in place on who could buy and implement things (think "devops" running wild--mad hardware purchasing sprees, testing in production, insanity). IT should be a gatekeeper, but only inasmuch as needed to help the business function. IT shouldn't be making policy in a vacuum.

It's depressing to read outright hostile posts toward IT, especially from developers who've had bad experiences with their IT groups. IT and dev should be partners helping each other out; each knows things that the other doesn't, and when they both recognize this and work together, good things happen. When either IT or dev decide they don't need the other, both end up being very, very wrong.
